Could Ubuntu be a reasonably secure "just works" alternative to Fedora?

Here are some replies from Jonah in a related previous discussion - Fedora is not a user friendly Linux Distro - #21 by jonah

I’m personally against adding Ubuntu, considering the criteria currently and the list of recommended distros (there are a lot and I think they ‘cover’ a lot of desired use cases), for me it comes down to the release model. And recommending something like Debian testing channel doesn’t help with the usability complaint.

*edited to fix link and elaborate:

I actually don’t mind Ubuntu too much myself (I use it when I need a temporary, maximum ‘just works’ distro), I just think including it in the recs alongside the distros with the edge in privacy and security by default would cloud the reasons why some are recommended over others.

IMO it could be worth including a section about Ubuntu more specifically on the Knowledge Base page about Linux, since it is by far the most popular distro and discussing the issues with it from PG’s perspective could help people make a more informed decision about using it.

Currently there’s actually no mention of Ubuntu directly at all.

When I get around to switching to Ubuntu, I plan on sticking with the very latest version of Ubuntu for this reason. Would you know if interim and brand new LTS Ubuntu releases still suffer from those same problems? I kind of assumed updates would be roughly close to Fedora since they both have new releases every 6 months or so.

From what I understand when reading @jonah’s reply and the criteria, it seems like the main issue was with concerns over Snap conflicting with the open source requirement. I also have an issue with snap (as mentioned in my OP) but if lots of people are complaining that Fedora isn’t a very suitable “just works” distro, I think it’s worth exploring adding Ubuntu as a soft recommendation with warnings or disclaimers, just as they do with plenty of other recommendations. I also really liked Jonah’s idea on an Ubuntu configuration guide which could go hand in hand with said warning/disclaimer:


I’m not quite sure, but I think the latest Ubuntu releases might be close to Fedora in terms of how up-to-date the software is. I had just asked about it since I’m not entirely sure myself.

Might be a fair point… I don’t recall having much experience with interim releases (which I assume is what you were referring to) though I do plan on giving it a go and comparing it to Fedora. If enough people in the community manage to run the latest Ubuntu releases while being unable to get Fedora to work, I think it’s worth considering adding Ubuntu as some sort of soft recommendation with warnings/disclaimers, perhaps coupled with a configuration guide as Jonah mentioned.

Again, it isn’t just because of my personal preference or whatever. I really think the average person is much more likely to run into issues (without much support to resolve them) on Fedora than on Ubuntu. It’s not just my experience, but also the experience of others on the forum and elsewhere on the internet. Unless there’s something we missed, I think ultimately it would come down to a discussion on exactly where and when PG can “compromise” on a recommendation. It’d make more sense to me if they hadn’t included so many soft recommendations with disclaimers, but since Privacy Guides is full of “compromise” recommendations, I think Ubuntu could fit in just fine.


Well, regardless of how I feel about it (which is less about Ubuntu itself and more about my understanding of PG’s recommendations, and the potential of it supplanting Fedora), at this point (after at least three people have brought this up) if it were put to a vote I would vote to add a qualified Ubuntu recommendation.


In my opinion, the worst two things about Fedora are actually:

  1. Proprietary NVIDIA drivers are not installed by default and you need to add them from the RPM Fusion repository. This is somewhat complicated and obscure. However: it’s very likely that by the end of 2024, the open source NVIDIA drivers will be competitive with the proprietary driver(s) in terms of performance, so this won’t remain an issue for a lot of people for very long. NVENC and NVDEC are important, but Vulkan Video will fill the gap. Unfortunately, nothing for CUDA.
  2. Lack of H.264 encoding/decoding support by default. You need to install OpenH264 from the command line, and you need to know about this. OpenH264 is also lacking compared to x264. This is becoming less of an issue because large sites like YouTube, Vimeo, Netflix, etc. are serving AV1 videos, which can be decoded by all computers with a software decoder. Additionally, in a few years, H.264 will be patent-free, though whether anything changes in Fedora is up in the air. Edit: this is also alleviated by Flatpak packages like Firefox and VLC, which include decoding support for patent-encumbered codecs out of the box.

Software availability isn’t that much of an issue. Toolbox or Distrobox are easy to use and can be used for Signal.


These are features :)


Ubuntu is as secure as any regular well supported Linux distro. This means you will automatically get the security patches that fix known vulnerabilities.

The “insecurity” that actually matters (practically speaking) comes from the user unknowingly carrying out sensitive operations in a compromised environment, misconfiguring their system or installing malware.

Most distros are not going to be secure by design. They are designed for general purpose use which is antithetical to this goal. If this is what you want, you should consider using Qubes and other distros with a security focus.

Lack of H.264 decoding is not a feature. It’s a situation Fedora would very much like to change. They want to play as many codecs as possible, using free software encoders/decoders like x264, x265, …

Which one you will probably add anyway and all proprietary drivers/codecs will be available, also in Software Center, as well, 1 mouse click away from install.

Is installing the proprietary NVIDIA driver possible in GNOME Software? I ask because I don’t actually use it on Fedora. If so, that’s great to hear and the average user should be able to manage it.

Meanwhile, installing fully-featured ffmpeg with hardware decoding + libdvdcss is more involved and you need to add the rpmfusion-free repository manually, not through GNOME Software like for NVIDIA. What average user will be able to figure out what they need to do or even what they need by reading this page? Not to mention, it’s hard enough to figure out you need to enable RPM Fusion because Fedora’s docs don’t mention it (instead pointing you to OpenH264).

In my opinion, the easiest way to enable H.264 decode/encode on both Fedora Workstation and Silverblue is through Flatpak. You can do it graphically with GNOME Software. Though if you want hardware acceleration, you need to install an extra runtime.

Ideally, this sort of thing should be enabled and included by default. H.264 is ubiquitous. Maybe OpenH264 will be installed by default in a few years once Fedora decides they no longer need the patent license from Cisco.

A nitpick: It’s wrong to refer to these codecs as “proprietary” because they are open standards, with encoders and decoders implemented by open source programs. Fedora has philosophically nothing against including them in their repositories. What prevents them from doing so is patents. There are plenty of patents for AV1 too, but Fedora builds ffmpeg with AV1 decoding support because AOM provides a royalty-free patent license.

I think Fedora documentation provides info to add both rpm-fusion repos with a single command. I do not remember now, but probably they could be enabled in Software center itself. As I need ffmpeg system-wide, I just layered it and I do not think a single command is hard to find and use for the average user, most of them already did the first step, the next steps are easier.

I’m attempting to avoid layering as much as possible (successful so far), and I don’t like that you need to uninstall and reinstall RPM Fusion repositories with a command before rebasing to a new major release. But I understand why that would be necessary if all the software you need is not available through Flatpak.

For the docs (I had some trouble navigating them; they separate it into Fedora Workstation and Quick Docs), I found these sections:

The second one is where the relevant information is, but it’s hard to find because it’s in the (much more useful and detailed, ironically) Quick Docs as opposed to Fedora Workstation docs. But I was wrong; they do actually point to it in the docs.

Rpmfusion repos are installed as local packages, you just need to layer them instead, no need to uninstall them when you rebase. Official wiki links this forum page Simplifying updates for RPM Fusion packages (and other packages shipping their own RPM repos) - Fedora Discussion and basically it is just a single command and reboot, then you forget about rpmfusion. I prefer to layer software like syncthing or rclone or even Brave browser rather than use flatpak alternatives with their limitations. Flatpaks are cool, but services, daemons, packages are cool too, lol. I mean flatpak can do ‘server things’, it is just not supposed for this, it won’t do it better way, but worst way.

Edit. Sandboxing a sandbox (browser is a sandbox) is like installing Flatpak via Flatpak. Or running Syncthing inside sandbox, is like running a service with another service. There are tools for right job, sure you maybe could put nails into wood with bare hands, but why…

I read a lot of it at the time, but my impression was that I was supposed to run that command every time before rebasing. If you’re only supposed to run it once right after you configure RPM Fusion the first time, then there’s nothing to worry about.

Layering packages seems to add a significant amount of time to upgrades. That’s why I want to avoid doing it. I’d like to see some benchmarks for it, though… if I’m totally wrong about this, I’d be more open to it.

I like Verified Flatpaks because I get software straight from the developer, as intended, and up-to-date. Out-of-date packages are not uncommon for distributions. On the other hand, I really do not want to see system-level packages built for the distribution go away and don’t see how they can (except via Snap, I guess…). I use a lot of CLI programs (I’ve been an Arch user for a few years…), but I’ve found Toolbx works well for most of them.

You’re right about browsers distributed through Flatpaks. The sandbox actually replaces the browser’s sandbox, and Flatpak’s bwrap sandbox is worse. I say it’s the “easiest” option because it is; not that it’s the most secure option. Here’s what I do for browsers on Silverblue:

  • I keep the default Firefox install. I can’t play H.264 media because I’m not layering the openh264 packages, but most of the media I play day-to-day is also provided via AV1, and this is probably true for most people too. Most of my H.264/H.265 usage comes from local videos, not streaming.
  • I install Brave via Flatpak because it is the only Verified browser available and use it purely to play H.264 media and for some web dev tasks.

It is actually, if you enable third-party repos in the welcome window at install. However, if you have Secure Boot turned on, you will have to disable it for the driver to be loaded or else do some command line magic to roll your own key into grub2. I don’t think this is a realistic thing to expect from a new Linux user and could either lead to them running unverified commands, potentially compromising their system, or just breaking their install. Both outcomes do not align with Fedora’s recommendation instead of Ubuntu for its security advantages.

Ubuntu on the other hand detects your NVIDIA card and automatically installs the drivers while also letting you generate the keys to sign them right from the installer window. Additionally, they recently started experimenting with rolling the disk encryption key into the TPM2 chip (if your computer supports that) so that you can have FDE just like on Windows, without having to type your password twice.

Setting that up on Fedora is a challenge to say the least.


That will discourage people like me from using it. User-friendliness also means less time wasted, but less learned. I wonder how hard Ubuntu is to use compared to Windows.


Wow, that does not sound great. I thought Fedora handled all of the Secure Boot stuff. But I guess the NVIDIA drivers are not officially supported…

I’d like to see where Nouveau is at by the time Fedora 41 (and Mesa 24.1) is out.

Ubuntu is pretty easy to use. Though, it can also depend on what you want to do, as to how easy it is. Linux Mint is a little easier, but doesn’t have a Wayland session, which I think is a hard requirement for PrivacyGuides.

I’ve personally never had a good experience with Ubuntu, but maybe that was just me…


Welp, since the thread has died down, I guess I’ll summarize my conclusions here.

  • There isn’t much clarity on whether Ubuntu’s updates are roughly on par with Fedora. A user pointed out that LTS versions in particular are at some security risk because of the way they manage updates, which I already assumed based on the warning about frozen distributions on Privacy Guides’ Linux Overview. It seems like this might be an issue with every point release distribution, including Fedora, but is considerably worse with “ancient” distributions like Debian and presumably others like Ubuntu LTS, RHEL, etc. I haven’t seen anyone claim this is also a major issue with the latest Ubuntu releases (at least in comparison to Fedora) though I haven’t seen confirmation that this isn’t the case either… So I’ll just assume it’s fine. (Again, relative to Fedora.)

  • The other main issue people seem to have with Ubuntu is Snap. Jonah says that (as of July 2023) the information in this post is still accurate, which honestly makes me want to do my hardest to re-try Fedora for a third time. Since their official Discussion forum and unofficial subreddit weren’t of any help, I guess I’ll look to more generic Linux support resources and hopefully someone can be of some help. If that doesn’t work out (and I gotta say, I’m not optimistic), I’m only left with returning to Ubuntu.

  • As I’ve discussed at much greater length, it’s extremely common for Privacy Guides to make soft recommendations with disclaimers for software/products that have issues, but are still worth mentioning as possible alternatives to what people might commonly use. I still think it’s worth considering adding Ubuntu as a soft recommendation along with some warnings, considering it’s probably a decent step up from Windows. Including an Ubuntu guide (as @jonah suggested) would be an awesome idea. Perhaps removing Snap (or replacing it with Flatpak) could be a part of said guide since it seems that Snap is one of the largest barriers to recommending Ubuntu. It’d be a nice option for users who (like me) were unable to get Fedora working. Others in this thread (and elsewhere on the forum) seem to be supportive of adding a soft Ubuntu recommendation and/or creating an Ubuntu privacy/security hardening guide. I’d love to hear if anyone from the PG team has any thoughts on whether they would consider it.


Use Fedora or Ubuntu or Debian or openSUSE or NixOS.
If you really want to use Fedora,
use Nobara or https://projectbluefin.io/
or https://getaurora.dev/

Nobara seems a mature enough Workstation replacement, but the other two projects seem like extra effort over Silverblue and Kinoite, both giving not much in return, yet requiring more trust to …who?